
Rpc.rexd - just say no


Jyrki Kuoppala

Jul 25, 1991, 1:51:01 PM
On some vendors' OS releases (even quite recent releases), the sunrpc
service 'rexd' is configured to be turned on by default. If the
'rexd' server is running, anyone on the same TCP/IP network (meaning
anyone on the international Internet if the machine is connected to
the Internet) can easily gain access to the machine masquerading as
any user other than root. In most cases, due to a bug in many NFS
implementations, the intruder can also gain root access in a matter of
seconds. On most systems gaining root access is easy anyway once you
have access to _any_ user or system account of your choice.

The reason rexd works like this is not a bug. By design, rexd has no
access control built into it at all, so using rexd makes your system's
security as good as it would be if you had all your user and system
accounts except root without a password. Worse, it also lets everyone
mount filesystems from random places to your system.

What's even worse, on some systems rexd's manual page plain and simple
lies about a `secure' option, which doesn't exist. I hear that on
some newer systems the `-s' option works, but I wouldn't count on it,
with the history of rexd being like this.


You can check whether your system is running rexd by giving the command
rpcinfo. Example output of `rpcinfo -p localhost':

program vers proto port
[ stuff deleted ]
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100001 2 udp 3319 rstatd
100001 3 udp 3319 rstatd
100017 1 tcp 1024 rexd
[ stuff deleted ]

If there's a line ending with 'rexd', then the system is very
vulnerable. Rexd can be turned off by editing the file
/etc/inetd.conf (on most recent systems) or /etc/servers (on some
older systems) to remove the rexd entry, and then restarting inetd
with `kill -1 inetdpid', where inetdpid is the process ID of inetd,
found with `ps'.
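As an added example (not part of the original post), here is a small POSIX shell script that applies the check described above to a constructed copy of the rpcinfo output and shows the inetd.conf edit that disables rexd. The function names, the sample rpcinfo listing and the sample inetd.conf lines are all constructed for this example; the exact form of the inetd.conf entry varies by vendor, so adjust the pattern to what your system actually uses.

```shell
#!/bin/sh
# Added example, not code from the original post: detect a registered rexd
# service in `rpcinfo -p' output and comment out its inetd.conf entry.
# All sample data below is constructed so the script can be tried offline.

# Constructed sample of `rpcinfo -p localhost' output, mirroring the post.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100001    2   udp   3319  rstatd
    100001    3   udp   3319  rstatd
    100017    1   tcp   1024  rexd'

# Constructed sample /etc/inetd.conf lines (entry format is vendor-specific).
SAMPLE_INETD_CONF='ftp     stream  tcp      nowait  root  /usr/etc/in.ftpd   in.ftpd
rexd/1  tli     rpc/tcp  wait    root  /usr/etc/rpc.rexd  rpc.rexd'

# rexd_registered TEXT: print 1 if the rpcinfo listing shows rexd, else 0.
# rexd is RPC program number 100017; matching on the number as well as the
# name catches listings where the service name column is missing.
rexd_registered() {
    printf '%s\n' "$1" |
        awk '$1 == 100017 || $NF == "rexd" { found = 1 } END { print found + 0 }'
}

# disable_rexd_in_inetd TEXT: print the inetd.conf text with every active
# rpc.rexd line commented out. After writing this back to /etc/inetd.conf,
# restart inetd as the post describes (`kill -1 <inetdpid>').
disable_rexd_in_inetd() {
    printf '%s\n' "$1" | sed '/^[^#].*rpc\.rexd/s/^/#/'
}

# Stand-alone demonstration on the constructed samples.
echo "rexd registered in sample rpcinfo output: $(rexd_registered "$SAMPLE_RPCINFO")"
echo "sample inetd.conf with rexd disabled:"
disable_rexd_in_inetd "$SAMPLE_INETD_CONF"
# On a real host: rexd_registered "$(rpcinfo -p localhost)"
```

The check keys on the RPC program number rather than on the port, because rexd's port is assigned dynamically and registered with the portmapper; it is the portmapper registration, not any fixed port number, that tells you the service is reachable.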

Don't confuse rpc.rexd with rexecd, as a version of COPS does.
rexecd is a relatively harmless TCP stream server, though on some very
old releases of a common workstation vendor there's also a security
hole (but not a very serious one unless you use `wheel' as a privileged
group). Rexecd asks for a password, while rpc.rexd just believes
everything you tell it without asking for any kind of proof.

//Jyrki
